News
Next Seminar on 9.12.2020
Written on 03.12.2020 15:34 by Stella Wohnig
Dear All,
the next seminar(s) take place on 9.12. at 14:00.
Reminder: You should always upload your talk info by Wednesday night BEFORE the week of your talk.
Session A 14:00-15:00:
Alexander Rassier - Anania Tesfaye
https://cispa-de.zoom.us/j/96786205841?pwd=M3FOQ3dSczRabDNLb3F1czVXVUpvdz09
Meeting-ID: 967 8620 5841
Passcode: BT!u5=
Session B
Vera Resch - Andreas Hanuja - Pavithra Krishna
https://cispa-de.zoom.us/j/99025989421?pwd=cWJIM29LYktsbStxTXlKUStZRi9MUT09
Meeting-ID: 990 2598 9421
Passcode: 3mZyE$
Session A:
14:00-14:30
Speaker: Alexander Rassier
Type of talk: Master Final
Advisor: Dr.-Ing. Ben Stock
Title: CIDeR: Automatically Implementing Nonce-Based Content Security Policies
Abstract:
Not a single day goes by without the majority of people using the Web for work and leisure, which is why Web sites are a primary target for malicious attackers. Server-Side Cross-Site Scripting is still considered one of the most dangerous vulnerabilities in the Web. There are many ways to mitigate the effects of malicious scripts, such as the Content Security Policy (CSP), but research has shown that creating a secure CSP is a difficult endeavour: Less than 10% of Web sites that deploy one do it in a way that cannot be easily bypassed. Most Web developers struggle with creating a secure CSP that does not break the functionality of the Web site by blocking too much.
In order to help with the generation and deployment of a secure and usable CSP for Django Web applications we have created CIDeR ("CSP Implementation Done Right"), an IntelliJ/PyCharm plugin for automatically implementing a secure nonce-based CSP. We then evaluated this tool on several popular Django applications on GitHub -- also in comparison to other tools that offer automatic CSP generation -- in order to confirm the security of the created CSPs. Furthermore, we conducted a pilot study in order to evaluate the usability and perceived security of our plugin.
Our evaluation shows that CIDeR is able to automatically generate and deploy secure nonce-based CSPs for Django projects without breaking any functionality of the Web site. These CSPs are shown to be more secure than the ones generated by the other automation tools. Moreover, CIDeR seems to be usable and able to assist developers in creating a secure CSP, even without them having a deeper knowledge of client-side Web security or the security mechanism itself.
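The mechanism the talk is about, a per-request nonce that template-authored scripts carry and injected ones do not, as an added example (not CIDeR's code). The template, its `__NONCE__` placeholder, the `{{ comment }}` sink and the simplified browser check are all assumptions for this illustration.

```python
import re
import secrets

# Constructed stand-in for a Django template after a nonce rewrite: every template-authored
# <script> carries a placeholder. "__NONCE__" and "{{ comment }}" are assumptions, not CIDeR's syntax.
TEMPLATE = """<html><head>
<script nonce="__NONCE__">init();</script>
<script nonce="__NONCE__" src="/static/app.js"></script>
</head><body><p>{{ comment }}</p></body></html>"""
SCRIPT_TAG = re.compile(r"<script\b([^>]*)>", re.IGNORECASE)
NONCE_ATTR = re.compile(r'\bnonce="([^"]*)"')

def new_nonce():
    """128-bit random nonce, fresh for every response; a reused or predictable nonce is no nonce."""
    return secrets.token_urlsafe(16)

def csp_header(nonce):
    """Nonce-based script policy; object-src and base-uri 'none' close two common bypass routes."""
    return f"script-src 'nonce-{nonce}' 'strict-dynamic'; object-src 'none'; base-uri 'none'"

def render(template, context):
    """Per-request render. The nonce goes only into template-authored tags; context values
    are inserted unescaped on purpose, to model an XSS-prone page."""
    nonce = new_nonce()
    html = template.replace("__NONCE__", nonce)
    for key, value in context.items():
        html = html.replace("{{ " + key + " }}", value)
    return {"Content-Security-Policy": csp_header(nonce)}, html

def policy_nonce(policy):
    m = re.search(r"'nonce-([^']+)'", policy)
    return m.group(1) if m else None

def executable_scripts(html, policy):
    """Simplified model of the browser's decision: a <script> runs only when its nonce
    attribute equals the nonce in the policy. Returns (allowed, blocked)."""
    want = policy_nonce(policy)
    allowed = blocked = 0
    for tag in SCRIPT_TAG.finditer(html):
        attr = NONCE_ATTR.search(tag.group(1))
        if attr and attr.group(1) == want:
            allowed += 1
        else:
            blocked += 1
    return allowed, blocked

if __name__ == "__main__":
    headers, page = render(TEMPLATE, {"comment": "nice post <script>alert(1)</script>"})
    print(executable_scripts(page, headers["Content-Security-Policy"]))  # (2, 1)
```

The point the counts make: the two scripts the developer wrote run, the one that arrived through user content does not, and no allow-list of hosts or 'unsafe-inline' was needed.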
14:30-15:00
Speaker: Anania Tesfaye
Advisor: Ben Stock
No info provided
15:00-15:30
No talk this week. If you want to speak, mail bamaseminar@cispa.saarland
Session B:
14:00-14:30
Speaker: Vera Resch
Type of talk: Master Intro
Advisor: Dr. Rahul Gopinath
Title: URL-Fuzzing
Abstract: Uniform Resource Locators (URLs) allow users to quickly and precisely navigate today's web. Similar to the specifications of other web standards, such as HTML, the WHATWG maintains the URL specification as a living standard. However, because different applications use URLs for a multitude of purposes, there exists a variety of implementations of URL parsers, most of which claim to follow the URL standard.
This thesis uses grammar-based fuzzing together with a grammar of the current URL standard to examine how close the relationship between URL parsers and the standard is. In detail, this consists of testing the URL parsers included in the browsers Firefox and Chromium, as well as a selection of stand-alone URL parsers with inputs generated by executing a grammar-based fuzzer on the URL grammar. Additionally, this thesis evaluates the errors encountered during test execution as well as the code coverage achieved in the selected URL parsers.
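The approach in miniature, as an added example that is not part of the thesis: a small hand-written URL grammar (an assumption, far smaller than the WHATWG grammar the talk uses) drives random derivations, each generated URL is fed to Python's standard-library parser, and the outcome is classified as round-trips unchanged, altered on reassembly, or raised an error.

```python
import random
import re
from collections import Counter
from urllib.parse import urlsplit, urlunsplit

# Constructed toy grammar for a fragment of URL syntax with a few edge cases the WHATWG
# standard defines behaviour for; an assumption for this example, not the thesis's grammar.
URL_GRAMMAR = {
    "<url>": ["<scheme>://<host><port><path><query><fragment>"],
    "<scheme>": ["http", "https", "ws", "file"],
    "<host>": ["example.com", "127.0.0.1", "[::1]", "[::1", "xn--nxasmq6b", "<host>.a"],
    "<port>": ["", ":80", ":0", ":<digits>"],
    "<digits>": ["<digit>", "<digit><digits>"],
    "<digit>": list("0123456789"),
    "<path>": ["", "/", "/<seg>", "/<seg>/../<seg>", "/<seg>/<seg>/"],
    "<seg>": ["a", "%41", "%zz", "~", ".", "<seg><seg>"],
    "<query>": ["", "?", "?k=v", "?k=<seg>&k=<seg>"],
    "<fragment>": ["", "#", "#<seg>"],
}
TOKEN = re.compile(r"<[^<>]+>|[^<]+")

def expand(symbol, rng, depth=0):
    """Random derivation of a symbol; past a depth bound, prefer non-recursive rules."""
    if symbol not in URL_GRAMMAR:
        return symbol
    choices = URL_GRAMMAR[symbol]
    if depth > 6:
        choices = [c for c in choices if "<" not in c] or choices
    return "".join(expand(t, rng, depth + 1) for t in TOKEN.findall(rng.choice(choices)))

def generate_urls(n, seed=0):
    rng = random.Random(seed)  # seeded, so a run is reproducible
    return [expand("<url>", rng) for _ in range(n)]

def classify(url):
    """'ok': urllib round-trips the input unchanged; 'changed': accepted but altered on
    reassembly; 'error': ValueError (e.g. port outside 0-65535, unbalanced IPv6 brackets)."""
    try:
        parts = urlsplit(url)
        parts.port  # port validation is lazy in urllib, so force it
    except ValueError:
        return "error"
    return "ok" if urlunsplit(parts) == url else "changed"

def fuzz_urlsplit(n, seed=0):
    """Run the parser over n generated URLs; returns verdict counts and the erroring inputs."""
    verdicts = [(url, classify(url)) for url in generate_urls(n, seed)]
    counts = Counter(v for _, v in verdicts)
    return dict(counts), [u for u, v in verdicts if v == "error"]
```

The 'changed' bucket is where standard-versus-implementation differences show up (for example, whether an empty query or fragment survives); the thesis additionally measures coverage inside the parsers, which this sketch does not.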
14:30-15:00
Speaker: Andreas Hanuja
Type of talk: Bachelor Thesis Final Talk
Advisor: Prof. Dr. Andreas Zeller
Title: Generating and Parsing Binary File Formats with FormatFuzzer
Abstract:
Modern fuzzers are used worldwide for automated software testing and to regularly find weak points in common programs. Many randomly generated inputs are used to search for errors in the program flow. But if the input files expected by the target program must have a complex structure, it is hardly possible to generate useful input by pure chance.
Thus, current research tries to modify the fuzzer by giving it background knowledge about the expected input structure.
In contrast to previous proposals, we use a novel framework called FormatFuzzer. FormatFuzzer automatically compiles high-efficiency generators and parsers from a file format specification. In this work, we propose how we can extend existing specifications to support new formats. We use the synthesized generators to evaluate different metrics, like their speed, the correctness of the outputs, and the variety of generated files. If we combine our generators with American Fuzzy Lop (AFL), we expect that we can increase the efficiency of AFL in fuzzing programs that parse binary files.
15:00-15:30
Speaker: Pavithra Krishna
Advisor: Andreas Zeller
No info provided